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^ ■ Abstract 

We approach the hidden subgroup problem by performing the so-called pretty good mea- 
surement on hidden subgroup states. For various groups that can be expressed as the semidirect 
product of an abelian group and a cyclic group, we show that the pretty good measurement is 
optimal and that its probability of success and unitary implementation are closely related to an 
average-case algebraic problem. By solving this problem, we find efficient quantum algorithms 
for a number of nonabelian hidden subgroup problems, including some for which no efficient 
algorithm was previously known: certain metacyclic groups as well as all groups of the form 
xi 1i p for fixed r (including the Heisenberg group, r = 2). In particular, our results show 
that entangled measurements across multiple copies of hidden subgroup states can be useful for 
(■-<■) , efficiently solving the nonabelian HSP. 
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1 Introduction 

O 

The hidden subgroup problem (hsp) stands as one of the major challenges for quantum compu- 
tation. Shor's discovery of an efficient quantum algorithm for factoring and calculating discrete 
logarithms [30], which essentially solves the abelian HSP [4, 19], focused attention on the question of 
what computational problems might be solved asymptotically faster by quantum computers than 
by classical ones. In particular, we would like to understand when the nonabelian hidden subgroup 
^5 | problem admits an efficient quantum algorithm. 

Considerable progress on this question has been made since Shor's discovery. Efficient quantum 
algorithms have been found for the case where the hidden subgroup is promised to be normal and 
there is an efficient quantum Fourier transform over the group [13], or where the group is "almost 
abelian" [12] or, more generally, "near-Hamiltonian" [11]. In addition, efficient algorithms have 
been found for several groups that can be written as semidirect products of abelian groups: the 
wreath product Z2 I Z2 [28], certain groups of the form Z n fc x Z2 for a fixed prime power p k [10], 
g-hedral groups with q sufficiently large [21], and particular groups of the form Z p fc x Z p with p an 
odd prime [17]. 

Unfortunately, efficient algorithms have been elusive for two cases with particularly significant 
applications: the dihedral group and the symmetric group. An efficient algorithm for the HSP over 
the symmetric group would lead to an efficient algorithm for graph isomorphism [4, 7, 3, 16], and an 
efficient algorithm for the dihedral hsp (based on the standard approach described in Section 2.1) 
would lead to an efficient algorithm for certain lattice problems [26]. While no polynomial-time 
quantum algorithms for these problems are known, Kuperberg recently gave a subexponential (but 
superpolynomial) time and space algorithm for the dihedral HSP [20], and Regev improved the 
space requirement to be only polynomial [27]. 
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Recently, we have advocated an approach to solving hidden subgroup problems based on a 
state estimation technique known as the pretty good measurement (pgm). The standard approach 
to solving the HSP with a quantum computer (described in detail in Section 2.1) reduces the problem 
to the quantum mechanical task of distinguishing the members of an ensemble of hidden subgroup 
states. For the dihedral hsp, we showed that the PGM is in fact the optimal measurement for 
distinguishing any number of copies of the hidden subgroup states, that it successfully identifies 
the hidden subgroup with a polynomial number of copies of the states (for which we gave a tight 
lower bound), and that its implementation is closely related to an average-case subset sum problem 
[2]. Unfortunately, this subset sum problem appears to be difficult, so the approach did not yield 
an efficient algorithm for the dihedral hsp. 

In this paper, we continue our study of the PGM as a tool for solving hidden subgroup problems. 
We apply the method to all groups that can be written as a semidirect product A x Z p of an abelian 
group A and a cyclic group of prime order p. As in the case of the dihedral group, the PGM for 
these groups is closely related to a certain kind of average-case algebraic problem, which we call the 
matrix sum problem. For some groups, the matrix sum problem can be solved efficiently, leading to 
an efficient algorithm for the HSP. We demonstrate this for two classes of groups in Sections 5 and 6. 
In Section 5, we give an efficient algorithm for metacyclic groups Z^r x Z p with N/p = poly(log N), 
generalizing the result of [21] for p-hedral groups, which requires N prime. In Section 6, we give an 
efficient algorithm for any group of the form Z£ X Z p for fixed r, including the Heisenberg group, the 
unique nontrivial semidirect product 7L 2 p x Z p . For the groups Z£ x Z p , the matrix sum problem is a 
system of polynomial equations over a finite field, which can be solved efficiently using Buchberger's 
(classical) algorithm for computing Grobner bases [5]. For the metacyclic groups, the matrix sum 
problem requires the calculation of discrete logarithms, which can be done efficiently using Shor's 
algorithm [30]. In both cases, the algorithm uses abelian Fourier transforms, but does not explicitly 
use a nonabelian Fourier transform. 

To simplify the PGM approach to the HSP, we find it useful to focus on a specific set of subgroups 
rather than allowing the hidden subgroup to be arbitrary. For the dihedral group, Ettinger and 
H0yer showed that it is sufficient to consider the case where the hidden subgroup is either trivial or 
has order 2. In Section 3, we give an analogous reduction showing that it is sufficient to consider 
subgroups that are either trivial or cyclic and of order p. In fact, this reduction alone is sufficient 
to solve the HSP over some nonabelian groups, such as Z2 l%>2 (cf. [28]) and the groups P p>r of [17]. 

It is well known that the query complexity of the hidden subgroup problem is polynomial, and 
in particular, that only polynomially many copies of the hidden subgroup states are sufficient to 
solve the problem in general [9]. However, measurements that operate on a single hidden subgroup 
state at a time are in general not sufficient — in particular, they are insufficient for the symmet- 
ric group [22]. Kuperberg's algorithm for the for the dihedral hsp depends essentially on using 
entangled measurements on multiple copies of the hidden subgroup states [20] , but unfortunately 
does not run in polynomial time. As far as we know, our algorithm for the HSP over groups of 
the form TIL x Z p is the first efficient quantum algorithm to use entangled measurements across 
multiple copies (specifically, r copies) of the hidden subgroup states. This result provides hope that 
the distinguishability of polynomially many copies of hidden subgroup states may lead to further 
efficient algorithms through the implementation of entangled measurements. 

The remainder of the article is organized as follows. In Section 2.1 we review the hidden 
subgroup problem and the standard approach to solving it with a quantum computer, and in 
Section 2.2 we review some relevant facts about semidirect product groups. Then, in Section 3, 
we give the reduction to cyclic subgroups. In Section 4, we present the pretty good measurement 
approach in detail, describing the relationship between hidden subgroup states and the matrix sum 
problem, computing the success probability of the PGM, proving its optimality, and explaining how 
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to implement it on a quantum computer. We apply the approach to specific groups in Sections 5 
and 6, and we conclude in Section 7 with a discussion of the results and some open problems. 



2 Definitions 

2.1 Hidden subgroup problem 

Let G be a finite group. We say that a function / : G — > S (where S is a finite set) hides the 
subgroup H < G if / is constant and distinct on left cosets of H in G. The hidden subgroup 
problem is the following: given the ability to query the function /, find a generating set for H. 

To approach the HSP with a quantum computer, we must have the ability to query / in superpo- 
sition. In particular, we are provided with a quantum oracle Uf acting as Uf : \g,y) > Issy ©/(#)) 
for all g £ G and y £ S, where © denotes the bitwise exclusive or operation, and the elements of S 
are represented by bit strings of length poly (log |G|). An efficient quantum algorithm for the hsp 
is an algorithm using this black box that finds a generating set for H in time poly (log |G|). 

The standard approach to solving the hsp on a quantum computer is as follows. Create a 
superposition over all elements of the group and then query the function in superposition, giving 



Next, discard the second register, leaving the first register in a mixed state whose form depends on 
the hidden subgroup H, 



where K C G is a complete set of left coset representatives of H in G. We call pn the hidden 
subgroup state hiding the subgroup H. In the standard approach, one attempts to determine H 
using samples of hidden subgroup state pu- 

2.2 Semidirect product groups 

The semidirect product of two groups A, B is defined in terms of a homomorphism <p : B — ► Aut(A), 
where Aut(A) denotes the automorphism group of A. The semidirect product group Ayi^B consists 
of the elements (a, b) with a £ A and b £ B. With group operations in A and B written additively, 
the group operation in A B is defined as (a, b)(a', b') = (a + ip(b)(a'), b + b 1 ). It is not hard to 
show that group inversion satisfies (a, b)" 1 = (ip(—b)(—a), —b). 

We consider the hidden subgroup problem for semidirect product groups G = A Z p , where 
A is an abelian group and p is prime. In this case, since (p is a homomorphism of a cyclic group, it 
is determined entirely by </?(l) (in particular, <p(p) is the identity map); hence, with a slight abuse 
of notation, we let ip := </?(l) (an automorphism of ^4) henceforth, and define (p b := {ip o • • • o ip) (6 
times), giving ip(b) = <p b . 

We will be especially interested in cyclic subgroups of such a semidirect product group. For any 
a £ A, we have ((a, 1)) = {(0, 0), (a, 1), (a + <p(a), 2), (a + tp(a) + 9? 2 (a), 3), . . .}. For convenience, 
we introduce the function &( b ^ : A — ► A defined by 

6-1 




(1) 






(3) 



i=0 



such that the elements of ((a, 1)) are (a, l) b = ($^(a), b mod p) for b £ N. 
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3 Reduction to cyclic subgroups 



To simplify the hidden subgroup problem over semidirect product groups, we can reduce the prob- 
lem to that of finding either the trivial hidden subgroup or a hidden cyclic subgroup of order p. 
This reduction generalizes a result of Ettinger and H0yer, who reduced the dihedral hsp to the 
problem of finding a trivial hidden subgroup or a hidden reflection (an order 2 subgroup). 

Lemma 1 (cf. Theorem 2.3 of [8]). To find an efficient algorithm for the hsp over ixZj, with 
p prime, it suffices to find an efficient algorithm for the hsp over A2 x Z p for any A2 < A with the 
promise that either H is trivial or H = ((d, 1)) for some d G A2 with \H\ = p. 

Proof. The proof proceeds along the lines of the Ettinger-H0yer reduction. Their idea is to factor 
out the part of the hidden subgroup that lies within A. For generalized dihedral groups (p = 2, 
99(a) = —a), their reduction goes through unchanged, as noted in [10]. However, in some cases 
there is an additional complication coming from the fact that the A-part of the hidden subgroup 
may not be normal in G. Fortunately, we can deal with this case separately. 

Let / : G S hide a subgroup H. Let Gi := Ax {0}, and let H x := HnGi =: A 1 x {0}. Since 
/ restricted to the abelian group G\ hides the subgroup Hi, we can efficiently find generators for 
Hi by solving an abelian hidden subgroup problem. 

We would like to factor out Hi, so we check whether it is normal in G. For g = (a, b) G G and 
hi = (h,0) G Hi, we have gh x g' x = (a, b)(h, 0)(v?- fc (-a), -b) = (<p b (h),0). Therefore Hi < G if 
and only if ip{H{) = Hi, where (p(Hi) := {{<p{h), 0) : h G ^1}. If Hi / H, then <p(Hi) = H x : since 
p is prime, there must be some (d, 1) G H, and for any h G Ai, (d, l)(/i,0)(d, l) -1 = (ip(h),0) G H, 
hence ip(h) G A\. 

If Hi = H, it could be that tp(Hi) / Hi. However, given a generating set for Hi, we can 
check whether Hi < G (for example, we can use the results of [31]; note that G is solvable since 
its commutator subgroup is abelian 1 ). If we find Hi ^ G, then we know that H = Hi, and we are 
done. Otherwise, we learn that Hi < G, and we proceed to factor out Hi. 

The (left) cosets of Hi in G can be represented as follows: for g = (a, b) G G, 

gHi = {(a, b)(h, 0) : h G A x } = {(a + <p b (h),b) : h G A x } = {(a + h, b) : h G A x } . (4) 

Thus the cosets can be labeled by b G Z p and a G A2 := A/Ai. Now we work in the group 
G 2 := G/Hi ^ 2 x^, 2 Zip whose elements are these cosets. Note that G2 inherits its defining 
automorphism (f2 from the original automorphism ip. 

Since / is constant on cosets of H\ < H, we can consider it as a function / : G2 — > 5 1 with 
the hidden subgroup #2 := H/H\. li Hi = H then i?2 is trivial. If Hi / then we must have 
H = (Hi, (a, 1)) for some a £ A, which can be seen as follows. Since p is prime, there must be some 
(a, 1) G H; but for any additional (a', 1) G H, we have (a', l)(a, 1) _1 = (a' — a, 0) G and hence 
(a',1) G (Hi,(a,l)). Also, note that ((a, l))ni?i = (($^(a), 0)). Thus, by the second isomorphism 
theorem, tf 2 = H/Hi ((a, l))/(($W(a),0)), which is a cyclic group of order p generated by (d, 1) 
for some d G A2. □ 

From now on we assume that the hidden subgroup is H = ((d, 1)) = {(&( b \d), b) : b G Z p } for 
some d £ A. Note in particular that since \H\ = p, we have $(p)(d) = 0. 

This reduction alone is enough to solve the HSP over some semidirect product groups. For 
example, the HSP over the wreath product groups Z?> I Z2 (for which an efficient quantum algorithm 

1 In some cases, the results of [31] may not be required; for example, in the case A = 7L r v considered in Section 6, 
Hi can be viewed as a subspace, and it is sufficient to check whether this subspace is invariant under the action of 
the matrix fi that defines the automorphism if. 
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was given in [28]) and Z p r x^Zp with 99(a) = (p r_1 + l)a (for which an efficient quantum algorithm 
was given in [17]) are both reduced to instances of the abelian HSP. However, in general, we are 
left with a nonabelian hsp, which we attempt to solve using the pretty good measurement. 



4 The pretty good measurement approach 

In this section, we present the pretty good measurement approach to the hidden subgroup problem 
over G = A x Z p . We begin in Section 4.1 by describing the hidden subgroup states and expressing 
them in terms of a certain algebraic problem called the matrix sum problem. Then, in Section 4.2, 
we describe the pretty good measurement for distinguishing these states. In Section 4.3, we give 
an expression for the success probability of the measurement (as well as general upper and lower 
bounds), and in Section 4.4, we prove that the measurement is optimal. Finally, in Section 4.5, we 
explain how the measurement can be implemented by solving the matrix sum problem. 

4.1 Hidden subgroup states and the matrix sum problem 

According to (2), the hidden subgroup states are uniform mixtures of uniform superpositions over 
the left cosets of H in G. A complete set of left coset representatives of H = ((d, 1)) in G = A x Z p 
is given by L = {(£, 0) : £ £ A}, and we have the coset states 

\M ■= \ E \^m {h \d\b)) = -L £ \£ + & b \d),b). (5) 
vP be z p vP beZp 

The hidden subgroup state is 

Pd = rji^2\^e,d)(^e,d\- (6) 



Fourier transforming the first register (over A) gives 

Pd=TT\^$*,d)$x,d\ where $x,d) := ~F 2 Xx(<S> (h) (d))\x,b) 

l A l rcA VP 



(7) 



and where Xx '■ A — > C for x G A denotes the xth group character of A, satisfying Xx ■ Xx' = Xx+x' 
and Xx{y) = Xy(x)- (For example, for A = Z N , Xx{v) = exp(2mxy/N); for A = Z£, Xx{y) = 
exp(2vri(x • y)/p).) 

By Lemma 7 in Appendix A, there exists a function <3?( b ) : A — > A such that Xx(& b \d)) = 
X*(i>)(x)( d ) for a11 d ' x £ A > hence 

P d = TG~\Yj Yj Xm(x)( d )x$(c) {x) (d)\x,b)(x,c\. (8) 

' ' x£Ab,c£Z p 

For k copies, we have simply 

^ k = jG^Y E ^) (l) (rf)X4(c) (l) (rf)k,6)(^c| (9) 



\G\ f 

xeA k b,c&l& 



where for b G Z^ and x G ^4 fc , 



fc 



j'=i 
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To simplify this expression further, for any x G A k and w G A, let := {6 G : &( b \x) = w} 
denote the set of solutions to the equation l>( 6 )(x) = w, let rf^ := |S^| denote the number of such 
solutions, and let 



denote the (normalized) uniform superposition over all solutions. (If rj^ = 0, then no such state can 
be defined, and we use the convention \S^} = 0.) Then the hidden subgroup state can be written 

P? = ^lE E xMMQVtfrf\x,SZ){x,£%\. (12) 
1 1 xeA k w,veA 

Clearly, the hidden subgroup states are closely connected to the problem of finding solutions 
b G to the equation 

& b )(x)=w, (13) 

where ifi' and w £ A are chosen uniformly at random. We refer to this problem as the matrix 
sum problem because we can represent ip as a matrix fi, and hence l>( 6 ) as a sum of matrices 
(see Appendix A). In the case A = TL^ of Section 5, the matrix sum is a sing le scalar G Z* , 
while in the case A = 7L' V of Section 6, G 2Z xr is the transpose of the matrix representing 

In general, the matrix sum problem will have many solutions when k is large, and few solutions 
when k is small. Since J2 w eA = P k ■, the expected number of solutions is 

E M] = t£. (14) 

x€A k ,w£A \A\ 

Thus, we typically expect the matrix sum problem to have many solutions for k 3> log p \A\ and few 
solutions for k <C log p \A\. In fact, we often find a sharp transition at k ~ log p \A\. 

Note that for the dihedral group of order 2N, A = Zjy and p = 2 with ip{x) = —x, the matrix 
sum problem is the average-case subset sum problem [2], while for the abelian case with ip(x) = x 
(so that $( 6 )(x) = bx), the matrix sum problem is simply bx = w. 



4.2 The measurement 

The pretty good measurement (PGM, also known as the square root measurement or least squares 
measurement) is a positive operator valued measure (povm) that often does a pretty good job of 
distinguishing members of an ensemble of quantum states [14]. For the ensemble of states aj with 
equal a priori probabilities, the PGM {Ej} is given by 

Ej := E-^Oj.E -1 / 2 where E:=^<7j, (15) 

3 

and the inverse is taken over the support of E. Clearly, the PGM is a povm over the support of the 
ensemble. 

For our ensemble of hidden subgroup states, using k copies of the state, we have 

E:=J>f = jJ4£ $>*k,S*X*,S*| (16) 
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where we have assumed for simplicity that the subgroup ((j, 1)} has order p for every j G A. Since 
£ is diagonal, the square root of its inverse (over its support) is particularly easy to calculate. 
Inserting (12) and (16) into (15), we find the measurement operators 

E i = YA\ E E xMXvti)\x,S5,){x,S%\. (17) 

x£A k w,v£A 

This defines the pretty good measurement for distinguishing order p hidden subgroup states of G. 

To solve the HSP using Lemma 1, we must also identify the trivial subgroup. However, if the 
PGM correctly identifies an order p subgroup when one exists, we can simply look for an order p 
subgroup and check whether the function is constant on the identity and some generator, which it 
will not be if the hidden subgroup is in fact trivial. Therefore, from now on we focus on finding an 
order p hidden subgroup. 

In general, G will have some subgroups ((j, 1)) of order p and some such subgroups whose 
orders are larger integer multiples of p. In this case, (17) is not, strictly speaking, the PGM for 
distinguishing the order p hidden subgroups alone. Furthermore, the state (12) for d corresponding 
to a non-order p subgroup is not even a hidden subgroup state. However, since (12) is always a 
valid quantum state, the resulting PGM is well defined. It is convenient to work with this PGM 
even when not all subgroups ((j, 1)) have order p. If the measurement identifies the order p hidden 
subgroups with reasonable probability, then by Lemma 1, this is sufficient to solve the hsp. 



4.3 Success probability 

The probability of successfully identifying an order p hidden subgroup ((d, 1)) is independent of d, 
and is given by 

Pr(success) := tr E d pf = £ ( £ * . (18) 

' ' xeA k weA 

For the PGM to successfully solve the HSP, this probability must not be too small. Whether the 
success probability is appreciable essentially depends on whether the corresponding matrix sum 
problem has many solutions. Specifically, we have the following: 

Lemma 2 (Cf. Theorem 2 of [2]). If Pr(ryJ, > a) > (3 for uniformly random x G A k and 
w G A (i.e., if most instances of the matrix sum problem have many solutions), then a(5 2 \A\/p k < 
Pr(success) < p k /\A\. 

Proof. For the upper bound, we have 

Pr(success) < E ( E ' = ^ ( 19 ) 

1 1 xeA k w&A 1 1 



since the ry's are integers and ^2 weA Vj^ = p for any x. For the lower bound, we have 



Pr(success) > ^(r^TT E E V^SJ 

1 Vl 1 ~eA k w£A 



(20) 



by Cauchy's inequality applied to (18). Now 



HIITI E E > v^Pr(r?£ > a) , (21) 

1 1 xeA k weA 

so by the hypothesis, Pr (success) > af3 2 \A\/p k as claimed. □ 
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4.4 Optimality 



In fact, the pretty good measurement is the optimal measurement for distinguishing the states (12), 
in the sense that it maximizes the success probability (18). This can be seen using the following 
result of Holevo and Yuen, Kennedy, and Lax: 

Theorem 3 ([15, 32]). Given an ensemble of states o~j with equal a priori probabilities, the 
measurement with povm elements Ej maximizes the probability of successfully identifying the state 
if and only if J2i = X), E i a i and YLi °i E i > a j f or aU 3- 

The optimality of the pgm (17) can be proved by directly verifying these conditions. Note 
that this optimality does not necessarily follow from [23], as the hidden subgroups may not be 
conjugates. However, the same basic principle is at work. 

Identifying the optimal measurement can be useful for proving lower bounds on the number 
of hidden subgroup states required to solve the HSP [2]. Of course, for the purpose of finding an 
efficient algorithm, it is not necessary for the measurement to be optimal; rather, it is sufficient for 
it to identify the hidden subgroup with reasonable probability. In fact, it may be that a suboptimal 
measurement which nevertheless is sufficient to solve the HSP is significantly easier to implement 
than the optimal one. However, it is encouraging to find that a particularly straightforward mea- 
surement is in fact optimal, and we will see that this measurement does lead to efficient algorithms 
in some cases. Together with the result of Ip showing that Shor's algorithm implements the optimal 
measurement for the abelian hidden subgroup problem [18], this suggests that identifying optimal 
measurements may be a useful guiding principle for discovering quantum algorithms. 



4.5 Implementation 

To find an efficient quantum algorithm based on the pgm, we must show how to implement the 
measurement efficiently on a universal quantum computer. Unsurprisingly, this implementation is 
also closely related to the matrix sum problem. 

According to Neumark's theorem [24], any povm can be implemented by a unitary transforma- 
tion on the system together with an ancilla, followed by a measurement in the standard basis. In 
particular, for a POVM consisting of N rank one operators Ej = \ej)(ej\ in a D-dimensional Hilbert 
space, U has the block form 

<*> 

where the columns of the N x D matrix V are the D-vectors \ej), i.e., V = J2f=i \ j)( e j\- 

Recall from (17) that the POVM operators for the PGM on hidden subgroup states can be written 

Ej = £ \x)(x\ ® Ef where Ef := |ef ><ef | with |e|) :=-j=^ X w (j)\S x J . (23) 

In other words, each Ej is block diagonal, with blocks labeled by x € A h , and where each block is 
rank one. Thus, the measurement can be implemented in a straightforward way by first measuring 
the block label x and then performing the povm {E?}j e A conditional on the first measurement 
result. 

To implement the povm {E?}j e A using Neumark's theorem, we would like to implement the 
unitary transformation U x with the upper left submatrix 

V* = -ft= E XU3)\J)(S X W \- (24) 
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It is convenient to perform a Fourier transform (over A) on the left (i.e., on the index j), giving a 
unitary operator U x with upper left submatrix 

Vx = m E xUj)Uj)H(s x v \ = ^2H(s x w \- (25) 

j,w,vEA weA 
Therefore, the PGM can be implemented efficiently if we can efficiently perform the transformation 

(26) 




where is any state allowed by the unitarity of U x . We refer to (26) as quantum sampling 
of solutions to the matrix sum problem. If we can efficiently quantum sample from matrix sum 
solutions, then by running the circuit in reverse, we can efficiently implement U x , and hence the 
desired measurement. 



5 Metacyclic groups 

In this section, we present our first application of the PGM approach to a particular class of groups, 
those of the form Zjy x Z p with p prime. All such groups are metacyclic. The possible automorphisms 
<p correspond to multiplication by some fi G Z^-, so that <p(a) = [ia. For (p p to be the identity map, 
we must have \xf = 1 mod N. The function &( b > can be represented by the sum 

6-1 

M (t) :=^/i l , (27) 

i=0 

so that $W(a) = ¥ b \a) = M^a. 

Note that because (//) < Z^, Lagrange's theorem implies that p divides |Z^| = (f>(N), where 
4>(N) denotes the Euler totient function of N, i.e., the number of elements of Z^r that are relatively 
prime to N. To give an efficient algorithm, we require that N and p be fairly close; in particular, 
we require N/p = poly(log N). 

5.1 Solution of the matrix sum problem 

To apply the PGM to the HSP over groups of the form Zjy x Z p , we must understand the matrix sum 
problem for such groups. In general, the problem is the following: given uniformly random x G Z^ 
and w G Z^r, find b G Z p such that Ylj=i M^Xj = w. We note in passing that if /j, — 1 G Zj^ 
(which is always the case if, for example, N is prime), then we can sum the geometric series (27) 
to obtain M (b "> = (// - l)/(fi - 1), and in particular, = 0, so that \((d, 1))| = p for all d G Z N . 

However, for the following, we do not need to assume that N is prime, that fj, — 1 G Z^, or even 
that M W = 0. 

For k = 1, the matrix sum problem M^x = w is particularly easy to solve. Assume that 
x G Z]^, which occurs with probability <j>{N)/N G 0,(1/ log log N), so that we can rewrite the 
equation as MO = w/x. 

If such a b exists, it must be unique, since 

M (b) M {V) for b ^ y G ^ which 

can be seen 

as follows. Supposing the claim is false, with b > b' without loss of generality, — M^ b ) = 

^>' M {b~V) = Q) go M (6-&') = For ^ _^ 1; ^ < z x hag 1^)1 = p s i nC e = 1. Using the identity 

(/z - 1)M^ = n b - 1 , (28) 
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it is clear that M^ b = implies that b — b' is a multiple of p. But since b, b' G Z„ 

with b ^ b' , this is a contradiction. 

Now from (28), we see that by solving the discrete logarithm problem /j, b = 1 + (fi — l)w/x 
for b, we solve the matrix sum problem. The discrete logarithm can be calculated efficiently using 
Shor's algorithm [30], which implies that the unique solution to the matrix sum problem can be 
found efficiently when it exists. 

For the pgm to be successful with reasonably high probability, the equation = w/x must 
be likely to have a solution. Since the various values of b G Z p yield p distinct possibilities for 
M^ b \ and since w/x is uniformly random in Z^r under the assumption x G Zj^, a solution exists 
with probability p/N, which is not too small given N/p = poly(log iV). Taking into account the 
probability that x G Zj^, a solution exists with probability at least <p(N)p/N 2 . Therefore, by 
Lemma 2, the pgm succeeds with probability l/poly(logiVp), and we have 

Theorem 4. For p prime and N arbitrary with N/p = poly(logiV), the hidden subgroup problem 
over Ztv x Z p can be solved in time poly (log Np). 

This generalizes a result of [21], which proves Theorem 4 in the case where N is prime. 

If N/p were superpolynomial, then we could imagine solving the problem by implementing the 
PGM with k > 1 copies of the hidden subgroup state. However, in this case, the matrix sum problem 
is not simply a discrete logarithm, so it is not clear whether it can be solved efficiently. 



5.2 Stripped down algorithm 

Since the pgm approach described above requires only k = 1 copy of the hidden subgroup state, 
it yields a very simple quantum algorithm. Here we present this result without reference to the 
general framework, giving an algorithm that is quite straightforward, especially in comparison to 
the earlier algorithm of [21], which requires a nonabelian Fourier transform. 

Consider the order p hidden subgroup H = {{M^d,b) : b G Z p } for d £ Z N with M^d = 0. 
The left cosets are of the form (£,0)H for £ G Z^, and the corresponding coset states (5) are 

\^ d ) = ^-Y,\ l+M(V)d ^- ( 29 ) 

v P help 

Applying the Fourier transform over Zat to the first register, we obtain 

hM = 4r E £^ +M(6M l^> (30) 



where to := exp (2it'\/N). Now measure the first register and assume that the result is some x G Z^, 
which happens with probability (j){N) /N. Then append an ancilla register to this state and perform 
the calculation \b, 0) i-> \b,xM^), giving the state 

±J2u xM{b)d \b,xMW). (31) 

Note that for any fixed b G Z p , M^> can be calculated efficiently by repeated squaring, using the 
fact that M( 2fc ) = (1 + fi b )M^ b \ 

Now we perform a classical computation to erase the value of b. With the expression (28) and 
knowledge of x G Z^ and fi, we can efficiently perform the computation \xM^ b \0) \xM^ b \ //). 
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Then, using Shor's discrete logarithm algorithm, we efficiently compute \xM^ b \ fi b ) \xM^\b). 
Using this procedure to erase the value of b, we see that we can produce the state 

— £ " xM(b)d \xMW) . (32) 

Finally, we perform an inverse Fourier transform over Zjv and observe the register in the hope 
of obtaining d. To calculate the probability of this happening, consider the perfect state 

\d) ■■= -4= E <j d w > ( 33 ) 

which would be guaranteed to yield the answer d. The overlap between the perfect state (33) and 
the actual state (32) is y/p/N, so the probability of observing d is at least p/N. Thus, overall, 
we find a success probability of at least 4>(N)p/N 2 . Because <j)(N)/N € 0(1/ log log AT), and 
N/p = poly (log AT) by assumption, simply repeating the above protocol N 2 /(fr(N)p = poly(log Np) 
times gives an efficient quantum algorithm for the HSP over Zjy x Z p . 



6 Groups of the form Z£ x Z p 

We now turn to another class of semidirect product groups, those of the form If x^Zp. We find an 
efficient quantum algorithm for such groups for any ip, so long as r is constant. In other words, the 
running time of the algorithm is poly(logp). The algorithm is particularly simple in the case r = 2, 
where the only nontrivial semidirect product is known as the Heisenberg group (for which it was 
recently shown that there is an efficient quantum algorithm whose output information theoretically 
determines the solution of the HSP [25]). We present the algorithm for r = 2 in Section 6.1, and 
then proceed to the general case in Section 6.2. 

In general, when A is the elementary abelian p-group A = W , its automorphism group is 
Aut(Zp = GL r (Z p ). Therefore, <p can be identified with a nonsingular matrix jjl G GL r (Z p ) such 
that n p = I. As before, we define := £-=d A** so that $ {b) (a) = M^a (see Appendix A). 



6.1 The Heisenberg group 

For r = 2, there are only two nonisomorphic semidirect product groups Z 2 x Z p : the abelian group 
Zp and the Heisenberg group, for which 

" = (J !)' < 34 > 

The matrix sum problem for the Heisenberg group is the following: given uniformly random x, y £ 
Zp and w,v € Z p , find b 6 Zp such that 

k 6,-1 

' Xi \ I w 



j=l i=0 

Clearly, 



i=0 
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where s is the multiplicative inverse of —2 in the finite field Z p , defined by p = 2s + 1. Therefore 
the matrix sum problem can be written 

Eft s V ,, )GH»)' <37> 

If & = 1, then it is not hard to see that the probability of having a solution is 0(l/p), i.e., 
exponentially small in log p. However, if we take k = 2, then there are as many variables as (scalar) 
equations, and we find the matrix sum problem 

bixi + s6i(l - h)yi + b 2 x 2 + sb 2 (l - b 2 )y 2 = w (38) 

biyi + b 2 y 2 = v (39) 

with uniformly random x\, x 2 ,y\,y 2 , w, v G Z p . 

The equations (38-39) can be solved as follows. Define 

A := (2wy 1 + vy 1 - v 2 - 2vx 1 )(y 1 + y 2 )y 2 + (vy 2 + xiy 2 - a?22/i) 2 ■ (40) 

If A is a nonzero square in Z p and y\,y 2 , y\ + y 2 ^ 0, then there are two solutions for (b\,b 2 ): 

vy 1 + x 2 y x - xiy 2 ± y/A vy 2 + xiy 2 - x 2 y x =F a/A 
Oi = -; r and b 2 = . (41) 



-. r and b 2 = r- 

yi{yi + y2) 2/2(2/1 + ^2) 



It is straightforward to check that (bi,b 2 ) is indeed a solution. If A = then these two solutions 
are the same, and there is only one solution. Finally, if A is nonsquare, then there are no solutions. 
To calculate the success probability of the pgm, we must determine the probability that 
V2, yi + 2/2 7^ and A is a square in Z p . First, note that since 2/1,2/2 are uniformly random, we 
have 2/1,2/2, (2/1 + 2/2) / with probability (p — l)(p — 2)/p 2 = 1 — 0(l/p). Now rewrite A as 

A = 2wyiy 2 (yi + y 2 ) + [v(yi - 2x\ - v)(y 1 + y 2 )y 2 + (vy 2 + x\y 2 - x 2 y{f\ . (42) 

Assuming 2y±y 2 (yi + y 2 ) / 0, A depends linearly on w. Hence, if we fix x\, x 2 , y±, y 2 , v and choose 
w uniformly at random from Z p , then A will also be uniformly random in Z p . Of the possible 
values of A € Z p , we have (p — l)/2 cases with y/A 7^ 0, (p — l)/2 cases with A not a square, and 
one case with A = 0. Therefore, under the assumption yi, y 2 , 2/1 + 2/2 / 0, we have 

Pr(7&* = 0) = J - 4 (43) 
P« = 1) = I (44) 
Pr(^ = 2) = \ - ± . (45) 

1 
2 



In particular, we see that Vi{r]w% = 2) = ^ — 0(l/p). Therefore, by Lemma 2, Pr(success) > 
\-0{l/p). 

Since the above discussion gives an explicit solution of the matrix sum problem, and since 
arithmetic in the finite field Z p can be performed in time poly(logp), it is straightforward to 
efficiently implement the quantum sampling transformation (26). 2 Combined with the fact that 
the success probability of the PGM is large, this shows that the hidden subgroup problem in the 
Heisenberg group can be solved efficiently. 

2 For example, given the ability to compute a list of solutions b\, . . . , b v with rj small, the following simple trick can 
be used to efficiently create the uniform superposition. Create the labeled superposition YLj^i^ |j> Fourier 
transform the first register (over Z^), and measure the first register. When the outcome is 0, which occurs with 
probability 1/r/, the desired state is obtained. Finally, use 0(r/) repetitions to boost the success probability close to 
1, and implement the measurement unitarily. 
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6.2 The general case 

More generally, consider the group TL r v 7L p for any constant r and for any automorphism tp, 
i.e., for any matrix fi satisfying fi p = I. It is easy to see that matrices related by a similarity 
transformation correspond to isomorphic groups. Thus, without loss of generality, we can assume 
that fi is in Jordan canonical form, or in other words, that it is zero everywhere except the diagonal 
and first superdiagonal, and that the elements on the first superdiagonal are either or 1. Since 
[jP = /, the diagonal elements of this fi must all be equal to 1. Thus the various nonisomorphic 
groups of the form 7H' V x Z p correspond to the partitions of r, where the partitions describe the sizes 
of the Jordan blocks. 

For simplicity, we consider the case of a single Jordan block of size r; the extension to other 
cases will be clear. In other words, we consider the r x r matrix 



/l 1 
1 






1 



. -.o 
. 1 1 

\0 ■■■ lj 

Then the 6th matrix sum := I + fi + fi 2 + ■ ■ ■ + is given by 

Ai) (S) (a) ••• C)\ 



(46) 



\2) V37 



o o '•• '■. 







\1J \2. 



mod p . 



(47) 



Note that = = 0. If /j. consists of several Jordan blocks, then (47) can be applied in 

each block. 

The matrix sum problem is thus the following: given uniformly random x € {%V) k and w 6 ZL 
find b £ Z£ such that £j? =1 Xj = w. This is a set of r polynomial equations over Z p in k 
variables. For example, in the case of a single Jordan block, we have 



E 



+ ... + 



(48) 



for all 1 < i < r, where the ith equation is of degree i. 

If k < r, so that there are fewer unknowns than equations, we expect that the matrix sum 
problem will typically have no solutions. On the other hand, if k > r, we expect that the ideal 
generated by (48) will typically have dimension k — r, and there will be 0(p k ~ r ) solutions. By 
choosing k = r, we can ensure that there are typically 0(1) solutions, so that the PGM succeeds, 
yet the solutions of the matrix sum problem are few in number and thus relatively easy to find 
(and to quantum sample). 

This intuition can be formalized by calculating the mean and variance of the number of solutions. 
Using such an argument, we find the following: 
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Lemma 5. For the matrix sum problem of any group 7L r v x Z p with k = r, Pr(r/J, = 1 or 2) > ^. 
Proof. See Appendix B. □ 

By Lemma 2, this shows that Pr (success) > 1/16, even if we only consider the cases in which 
the number of solutions is at most 2. Thus, the pretty good measurement succeeds in identifying 
the hidden subgroup. 

To efficiently implement the pgm, we quantum sample from solutions of the matrix sum problem, 
which can be done by computing a list of all solutions. A list of solutions can be found by first using 
Buchberger's algorithm to compute a Grobner basis for the ideal and then using elimination theory 
[5]. In general, upper bounding the complexity of Buchberger's algorithm is a difficult problem, 
and it is known that the algorithm may be very inefficient in terms of the number of variables, the 
number of equations, and the degree of those equations. However, since we consider r constant, 
such inefficiency is not an issue. The running time in terms of p, the size of the field, enters only as 
an overall poly (log p) factor, accounting for the cost of performing arithmetic operations in a finite 
field (see for example [6]). Thus, for our purposes, a Grobner basis can be computed efficiently. 
Since we consider only the cases in which there are at most 2 solutions, elimination is also efficient, 
giving an overall poly (log p) time algorithm for computing a list of matrix sum solutions, and hence 
for quantum sampling from those solutions. 

Collecting these results, we find 

Theorem 6. The hidden subgroup problem over any group of the form T7 p x Z p with r fixed can be 
solved in time poly (log p) on a quantum computer. 

7 Discussion 

In this paper, we have studied the pretty good measurement for semidirect product groups of the 
form AyiZp with A abelian and p prime. We found that the pgm is closely connected to the matrix 
sum problem, and we exploited this connection to find efficient quantum algorithms for certain 
metacyclic groups (Section 5) as well as all groups of the form Z p x Z p with r fixed (Section 6). The 
latter algorithm demonstrates that entangled measurements may be useful for efficiently solving 
the nonabelian HSP. 

Aside from the fact that these particular nonabelian groups admit efficient quantum algorithms, 
our results suggest two general directions for further investigation. First, in the standard approach 
to the nonabelian hsp, it would be helpful to have a better understanding of when entangled 
measurements are necessary and when they can be implemented to give efficient algorithms. Second, 
for the hsp or for other problems that can be viewed as quantum state distinguishability problems, 
identifying an optimal measurement (or considering a particularly nice measurement such as the 
PGM, which in general may or may not be optimal) can be used as a principle for discovering new 
quantum algorithms. 

While the reduction of Lemma 1 combined with the pgm approach outlined in Section 4 appears 
to efficiently solve the HSP in most of the semidirect product groups where efficient algorithms are 
known, there is one notable exception. The groups Z™ XZ2 (for which an efficient quantum algorithm 
is given in [10]) give rise to a subset sum problem over Z™, which appears to be essentially as difficult 
as the subset sum problem over Zjy arising from the dihedral group. Thus, it would be interesting 
to understand what allows the algorithm in [10] to be efficient even though the matrix sum problem 
is (apparently) hard. 

Of course, there are many nonabelian groups that are semidirect products of nonabelian groups, 
or that cannot be nontrivially decomposed into semidirect products at all. The pgm approach is well 
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defined for any group, so it would be interesting to explore the approach in such cases, regardless 
of whether the PGM is optimal. 
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A Matrix representation of <f>^ 



In this appendix, we show that <3?( fe ) and l>( b ) can be represented by (simply related) matrices, and 
furthermore, that x x ($ (b) ( d )) = X&b) {x) (d). 

Lemma 7. Let A be a finite abelian group, ip G Aut(^4), b G N with the corresponding <3? : A — ► A 
defined by $ := Yl^Zo V*; an d X '■ A ~^ C a character of A. Then there exists a function <i> : A — ► A 
such that Xx(®(d)) = X$( x )(d) for all d,x £ A. 

Proof. Let A = A pi x • • • xA Pr be the elementary divisor decomposition of A, i.e., the decomposition 
into p-groups where the pi are distinct primes. Accordingly, let d = (d±, . . . , d r ), x = (xi, . . . , x r ), 

and Xx} '■ A Pi — > C such that Xx(^) = xiV(^i) " ' ' Xav(^r)- ^ is known that any automorphism 
(f G Aut(A) can be decomposed as (p = (tpi, . . . ,ip r ) with ipi G Aut(^4 pi ) [29]. Similarly, we have 
the decomposition $>(d) = (3>i(eZi), . . . , & r (d r )). Hence if we prove the lemma for p-groups, then 
this proves it for all finite abelian groups. 

Assume therefore that A is a p-group, A = x • • • x Z p e fe with e± > • • • > e&. By [29], we 
can represent ip 6 Aut(A) as a matrix transformation (x\, . . . , x&) ► (xi, . . . , Xfc)/x where /U G Z fcxfc 
and p ej_ei |/^ij for all i > j. Consequently, we can also represent the transformation <J> by a matrix 
M with p e i~ ei \Mij for all i > j. Now define a conjugate matrix Mji := p ei ~ e i Mij for all i, j (note 
that all entries of M are integers). For any character \x '■ A — > C, we find 

= exp (2mJ2 d i M i3 x i/P ej ) = ex P ( 2?ri E diXjMji/p^ = x$ (x) (d) , (49) 

ji ij 
where : A — ► ^4 is the matrix transformation defined by (xi, . . . , X&) i— > (xi, . . . , x^)M. □ 

Note that if A = Zjy (as in Section 5), then $ can be represented by a single scalar M 6 Z^v, 
and hence $ = <!>. Also, \i A = U p (as in Section 6), then M 6 Z p xr and M = M T . For notational 

simplicity, since we only need the matrix representation of $ (and not of <E>) in these two cases, we 
put ji — > /x T and M — > M T throughout the body of the paper. 



B Proof of Lemma 5 

Proof. For x € (Z™) fc , iu G Z™, and b G Z*, let 3^(6) = denote the system of polynomial equations 
(48). We want to understand the typical behavior of 

r,l:=\{b:EUb) = 0}\ = J2mUb) = 0] (50) 

b 

for uniformly random x, w. Specifically, we want to show that it is typically close to its mean, 

H-.= E WJ=P k - r (51) 
xeA k ,weA 

where we have used (14). To compute the variance, note that 

E [«,) 2 ] = — J— V {r,l) 2 (52) 



x,w 



= iE(E = °i + E = = °i 

" 31.111 \ ^ 
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The first (diagonal) term is just the mean. For the second (off-diagonal) term, note that the 
condition 5^(6) = 5^(c) actually does not depend on w, so we can write 

E [(^) 2 ] = ^ + -i T7 ^^5[Hg(6) = Hg( C )]^^(6) = 0] (55) 

b^c x w 

= ^+iEE^(6)=^)] (56) 

^ b^C X 

where we have used the fact that for any fixed x, b, there is exactly one w that satisfies the equation. 
Now for b ^ c, choose some j such that bj ^ Cj. The system of equations = Hq(c) is linear 

in x, and in the ith equation (48), the coefficient of Xij is nonzero (it is simply bj — Cj), so for any 
values of the Xij> for j' / j, we can solve the equations uniquely for the Xij, giving 

, JU [( ^ )2] = " + g ? 5[v * Xij fixed] (57) 

= // + p 2 ^ - p k - 2r . (59) 

Thus we find a 2 : = E X)10 [(i&) 2 ] — fi 2 = // -p fc " 2r = - p" r ). 

Since the variance is small, Chebyshev's inequality shows that the probability of deviating far 
from the mean number of solutions is small: 

2 

Pr(|< - Ml > c) < ^ . (60) 

For k = r, we have /u = 1 and cr 2 = 1 — p~ r , so by putting c = 2 in (60), we find Pr(^ > 3) < j. 

To see that we are unlikely to have no solutions, we need a slightly stronger bound than the 
Chebyshev inequality. Since rj^ is a nonnegative, integer- valued random variable, we have [1, p. 58] 
Pr(r/2, = 0) < cr 2 /(/x 2 + a 2 ) = (1 — p~ r )/(2 - p~ r ) < 1/2. Combining these results, we see that 
Pr(r/^, = 1 or 2) > \ as claimed. □ 
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